Yesterday I had a funny idea: I'm running a dedicated hosted server with a static, public IPv4 address and use ssh to administer it. If you don't want port 22 to be seen as "open" from the outside there are some possibilities:
- Move sshd to another port
- Use port-knocking so that the port will be opened only for a short while (or one connection) when a specific connect-sequence has reached the server

And my idea now is:
- create a virtual network interface on the server (ip tuntap add mode tun)
- set any non-public (not routed on the internet) IPv4-address on that interface (ip addr add 192.168.123.1/24 dev tun0)
- activate that interface (ifconfig tun0 up)
- config sshd to only bind to that IP-address of the virtual interface and restart/reload sshd
- On the machines you want to connect to the server, add a new route (route add -net 192.168.123.0/24 gw <PUBLIC IP or DOMAIN/HOSTNAME>)

Then you can connect to the server using the virtual IP address (ssh user@192.168.123.1) and the port won't be seen while port scanning.

Initially I expected to configure a masquerading NAT from the physical interface of the server (eth0) to the virtual one (tun0) but that doesn't seem to be necessary.

Now a question to all network/firewalling/security-pros out there: Do I open up any security-hole that way? How do you like the idea?

Last edited by jannis on Tue Nov 06, 2012 5:04 pm; edited 1 time in total
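A check for the "bind sshd only to the virtual interface" step in the post above, as an added example that is not code from the thread: it parses sshd_config text and reports any ListenAddress that falls outside the tunnel subnet. The function names and the sample configs are constructed for illustration, and `Include` files are not followed.

```python
import ipaddress

def listen_addresses(text):
    """Return the host part of every ListenAddress directive (keyword is case-insensitive)."""
    hosts = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # drop comments, split on whitespace
        if len(parts) < 2 or parts[0].lower() != "listenaddress":
            continue
        value = parts[1]
        if value.startswith("["):                 # [addr]:port form
            host = value[1:].partition("]")[0]
        elif value.count(":") == 1:               # host:port or IPv4:port
            host = value.split(":")[0]
        else:                                     # bare IPv4, bare IPv6 or hostname
            host = value
        hosts.append(host)
    return hosts

def audit(text, allowed_net="192.168.123.0/24"):
    """Return findings; an empty list means sshd binds only inside allowed_net."""
    net = ipaddress.ip_network(allowed_net)
    hosts = listen_addresses(text)
    if not hosts:
        # With no ListenAddress at all, sshd listens on all local addresses.
        return ["no ListenAddress: sshd listens on all local addresses"]
    findings = []
    for host in hosts:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            findings.append(f"{host}: hostname, resolve and check by hand")
            continue
        if addr.is_unspecified:
            findings.append(f"{host}: wildcard, listens on every interface")
        elif addr.version != net.version or addr not in net:
            findings.append(f"{host}: outside {net}")
    return findings

# Constructed sample configs (not taken from the thread).
TUN_ONLY = "Port 22\nListenAddress 192.168.123.1\n"
MIXED = ("ListenAddress 192.168.123.1:22\n"
         "listenaddress 0.0.0.0\n"
         "ListenAddress [::]:22\n"
         "ListenAddress 203.0.113.10  # public address, documentation range\n")
DEFAULT = "Port 22\nPermitRootLogin no\n"

if __name__ == "__main__":
    for name, cfg in (("tun-only", TUN_ONLY), ("mixed", MIXED), ("default", DEFAULT)):
        print(name, audit(cfg) or "OK")
```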

You don't necessarily have root on all machines you want to connect from, and routers will not necessarily know how to route packets properly to a private net unless you happen to be on the same net - and thus don't need to route?

You might well just firewall everything off and use VPN to connect.

I just leave sshd open and let the storm pass. Just hoping people all have good passwords...

VPN should be what you want. It basically does exactly that, transfers from your machine to the server in a tunnel without worrying about the network. The server has its own private address space associated with the VPN, which is the only place the server listens for ssh. So if the attacker has no VPN access, there is no ssh access either. Plus it's an encrypted tunnel, to boot!

Again I just let ssh do what it does. But I also have VPN that I can use, and it uses a certificate system that I can revoke access to if I lose a key.